Posts Tagged ‘SATNAC’
2009, An Overview of the Year Ahead
Written by Barns on February 7, 2009 – 1:35 pm
With 2009 already under way, progress is happening in my Masters at a steady pace. With just under six months to go until the end of July, my work is in full swing, with a mixture of writing, algorithmic construction, testing and other activities. Over the next month, most of the development work should be completed. This is, of course, somewhat dependent on my teaching not getting too much in the way.
Thereafter, my algorithms and the sfPortscan algorithm from Snort will be tested and statistically analysed. Thereafter, I plan on finalising my write-up and handing in.
In the interim, I have plans to submit papers to several conferences during the course of the year; the first list includes ISSA, RAID, SATNAC, SAICSIT and CISSE (in chronological order of submission dates). I also hope to get a journal article out during the course of the year.
So, onward with 2009…
Tags: CISSE, ISSA, journal, Paper, SAICSIT, SATNAC, sfportscan, Snort
Posted in Masters
SATNAC WIP Paper
Written by Barns on June 3, 2008 – 2:53 pm
I have submitted my Work In Progress Paper for SATNAC, under the title of "An Analysis of Network Scanning Traffic as it relates to Scan-Detection in Network Intrusion Detection Systems".
Abstract
Network Intrusion Detection is, in a modern network, a useful tool to detect a wide variety of malicious traffic. The ever present prevalence of scanning activity on the Internet is fair justification to warrant scan detection as a component of network intrusion detection. Whilst current systems are able to perform scan-detection, the methods they use are often flawed and exhibit an inability to detect scans in an efficient and scalable manner.
Existing research by van Riel and Irwin has illustrated a number of flaws present in the open source systems Snort and Bro. This paper builds on this by describing current research at Rhodes University in which these flaws are being addressed. In particular, this research will address the flaws in the scan-detection engines in Snort and Bro by developing new plug-ins for these systems which take into consideration the improvements which are identified over the course of the research.
Tags: Bro, network intrusion detection systems, Paper, SATNAC, Snort
Posted in Masters, Papers
SATNAC and Testing Woes
Written by Barns on September 10, 2007 – 12:15 pm
Well, today is the start of SATNAC and Barry is there presenting his paper (technically, Nick, Blake and I had a hand in it as well). I’ll try to get a PDF of it from him to put here… In the interim, I’m in a bad mood as my testing isn’t going really well and whilst I had planned on having all week, I now only have a few days.
Actual deployment seems to be going ok, but I’m sure I’ll encounter problems soon enough… In the interim, time for lunch.
Tags: Paper, SATNAC
Posted in Honours